[FIXED 6.1.7] OpenSSH: client bug CVE-2016-0778

http://undeadly.org/cgi?action=article&sid=20160114142733

As it stands this looks like it will be an urgent fix to deploy.

* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1
  contains experimental support for resuming SSH-connections (roaming).

  The matching server code has never been shipped, but the client
  code was enabled by default and could be tricked by a malicious
  server into leaking client memory to the server, including private
  client user keys.

  The authentication of the server host key prevents exploitation
  by a man-in-the-middle, so this information leak is restricted
  to connections to malicious or compromised servers.

  MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
  can be completely disabled by adding 'UseRoaming no' to the global
  ssh_config(5) file, or to user configuration in ~/.ssh/config,
  or by passing -oUseRoaming=no on the command line.
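As an added example (not from the thread, the advisory, or Unraid itself), the following POSIX shell functions audit an ssh_config file for the mitigation quoted above and prepend it when it is missing. The parser treats Match blocks conservatively as non-global, which is an assumption of this example rather than a statement about ssh_config(5) semantics.

```shell
#!/bin/sh
# Added example: check an ssh_config file for a host-wide "UseRoaming no"
# and apply it when absent.

# roaming_disabled FILE
# Exit 0 when "UseRoaming no" is set in a scope covering every host: before
# the first Host/Match block or inside a "Host *" block. Keywords are
# case-insensitive and "Key=Value" is accepted, as in ssh_config(5).
# Match blocks are treated as non-global (assumption of this example).
roaming_disabled() {
    awk '
        BEGIN { global = 1; found = 0 }
        {
            line = $0
            sub(/#.*/, "", line)              # drop comments
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            if (line ~ /^[ \t]*$/) next       # skip blank lines
            gsub(/=/, " ", line)              # "Key=Value" -> "Key Value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host")  { global = (val == "*"); next }
            if (key == "match") { global = 0; next }
            if (key == "useroaming" && global && val == "no") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ensure_roaming_disabled FILE
# Prepend "UseRoaming no" so it is the first value obtained for the option;
# ssh_config(5) keeps the first value it reads, so a leading global line wins
# over any later Host-specific setting. Creates FILE if it does not exist.
ensure_roaming_disabled() {
    [ -f "$1" ] || : > "$1"
    if ! roaming_disabled "$1"; then
        tmp="$1.tmp.$$"
        { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
    fi
}

# Usage: ensure_roaming_disabled /etc/ssh/ssh_config
#        ensure_roaming_disabled "$HOME/.ssh/config"
```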


While we will patch this, it's actually not as urgent as you think.  This is an SSH CLIENT issue, not a server issue.  While we do include the ssh client with unRAID, the bug is only relevant if you are using it to initiate an SSH session from unRAID to another system, which isn't something we directly support or suggest (it would require you to login via command line to do this).  Connections TO unRAID from other devices do not make unRAID vulnerable to this bug.

Keep in mind that some people use rsync over ssh to remote servers locally and over the internet (and over a VPN).

Which is why we will patch it, but that isn't technically something we directly support or even suspect a large percentage of our users to be doing.  Just trying to highlight the difference in criticalness between this type of bug that only affects a few extra savvy users compared to the majority that restrict themselves to the confines of what unRAID OS provides through the webgui.

Just an FYI, this is now patched in 6.1.7!!  Hoping to see a release tonight!!

 

soon™ has been retired ?

 

:(

Just an FYI, this is now patched in 6.1.7!!  Hoping to see a release tonight!!

 

Good news.

 

However, can you confirm this, as openssh (SSA:2016-014-01) was not in the release notes?

Yes, Eric caught that we missed that in the release notes, but it's actually there.

Please update the release notes to close down this CVE as complete and solved.

 

Compliments on the fast turnaround.
